Disable "Forged JWT" challenge on Windows

data/datacreator.js

@@ -60,7 +60,7 @@ async function createChallenges () {
 
   await Promise.all(
     challenges.map(async ({ name, category, description, difficulty, hint, hintUrl, key, disabledEnv }) => {
-      const effectiveDisabledEnv = utils.determineDisabledContainerEnv(disabledEnv)
+      const effectiveDisabledEnv = utils.determineDisabledEnv(disabledEnv)
       description = description.replace('juice-sh.op', config.get('application.domain'))
       description = description.replace('<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>', entities.encode(config.get('challenges.xssBonusPayload')))
       hint = hint.replace(/OWASP Juice Shop's/, `${config.get('application.name')}'s`)

data/static/challenges.yml

@@ -237,6 +237,8 @@
   hint: 'This challenge is explicitly not about acquiring the RSA private key used for JWT signing.'
   hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#forge-an-almost-properly-rsa-signed-jwt-token'
   key: jwtForgedChallenge
+  disabledEnv:
+    - Windows
 -
   name: 'Forgotten Developer Backup'
   category: 'Sensitive Data Exposure'

frontend/src/app/challenge-status-badge/challenge-status-badge.component.html

@@ -28,7 +28,8 @@
 <button *ngIf="challenge.disabledEnv" [id]="challenge.name + '.unavailable'" mat-raised-button
         [matTooltip]="challenge.hint" matTooltipPosition="above">
   <span>
-    <i class="{{ 'icon-' + challenge.disabledEnv?.toString().toLowerCase() }}"></i>
+    <i *ngIf="challenge.disabledEnv !== 'Windows'" class="{{ 'icon-' + challenge.disabledEnv?.toString().toLowerCase() }}"></i>
+    <i *ngIf="challenge.disabledEnv === 'Windows'" class="{{ 'fab fa-' + challenge.disabledEnv?.toString().toLowerCase() }}"></i>
     {{'STATUS_UNAVAILABLE' | translate}}
   </span>
 </button>

frontend/src/app/challenge-status-badge/challenge-status-badge.component.ts

@@ -6,6 +6,11 @@
 import { Component, Input } from '@angular/core'
 import { WindowRefService } from '../Services/window-ref.service'
 import { ChallengeService } from '../Services/challenge.service'
+import { dom, library } from '@fortawesome/fontawesome-svg-core'
+import { faWindows } from '@fortawesome/free-brands-svg-icons'
+
+library.add(faWindows)
+dom.watch()
 
 import { Challenge } from '../Models/challenge.model'
 

frontend/src/assets/i18n/en.json

@@ -188,7 +188,7 @@
   "ADD_BASKET": "Add to Basket",
   "BTN_SHOW_ALL": "Show all",
   "BTN_SHOW_UNAVAILABLE": "Show unavailable",
-  "INFO_DISABLED_CHALLENGES": "{{num}} challenges are unavailable on {{env}} due to <a href='https://pwning.owasp-juice.shop/part1/challenges.html#potentially-dangerous-challenges'>security concerns</a>!",
+  "INFO_DISABLED_CHALLENGES": "{{num}} challenges are unavailable on {{env}} due to <a href='https://pwning.owasp-juice.shop/part1/challenges.html#potentially-dangerous-challenges'>security concerns</a> or technical incompatibility!",
   "BTN_HIDE_ALL": "Hide all",
   "TYPE_THESE_LETTERS": "Type these {{length}} letters",
   "BTN_REQUEST": "Request",

lib/utils.js

@@ -19,6 +19,7 @@ const crypto = require('crypto')
 const clarinet = require('clarinet')
 const isDocker = require('is-docker')
 const isHeroku = require('is-heroku')
+const isWindows = require('is-windows')
 const logger = require('../lib/logger')
 
 const months = ['JAN', 'FEB', 'MAR', 'APR', 'MAY', 'JUN', 'JUL', 'AUG', 'SEP', 'OCT', 'NOV', 'DEC']
@@ -205,11 +206,17 @@ exports.disableOnContainerEnv = () => {
   return (isDocker() || isHeroku) && !config.get('challenges.safetyOverride')
 }
 
-exports.determineDisabledContainerEnv = (disabledEnv) => {
+exports.disableOnWindowsEnv = () => {
+  return isWindows()
+}
+
+exports.determineDisabledEnv = (disabledEnv) => {
   if (isDocker()) {
     return disabledEnv && (disabledEnv === 'Docker' || disabledEnv.includes('Docker')) ? 'Docker' : null
   } else if (isHeroku) {
     return disabledEnv && (disabledEnv === 'Heroku' || disabledEnv.includes('Heroku')) ? 'Heroku' : null
+  } else if (isWindows()) {
+    return disabledEnv && (disabledEnv === 'Windows' || disabledEnv.includes('Windows')) ? 'Windows' : null
   }
   return null
 }

package.json

@@ -75,6 +75,7 @@
     "i18n": "^0.8.5",
     "is-docker": "^2.0.0",
     "is-heroku": "^2.0.0",
+    "is-windows": "^1.0.2",
     "js-yaml": "^3.13.1",
     "jsonwebtoken": "0.4.0",
     "jssha": "^2.3.1",

routes/verify.js

@@ -68,7 +68,7 @@ exports.jwtChallenges = () => (req, res, next) => {
   if (utils.notSolved(challenges.jwtUnsignedChallenge)) {
     jwtChallenge(challenges.jwtUnsignedChallenge, req, 'none', /jwtn3d@/)
   }
-  if (utils.notSolved(challenges.jwtForgedChallenge)) {
+  if (!utils.disableOnWindowsEnv() && utils.notSolved(challenges.jwtForgedChallenge)) {
     jwtChallenge(challenges.jwtForgedChallenge, req, 'HS256', /rsa_lord@/)
   }
   next()

test/e2e/forgedJwtSpec.js

@@ -2,6 +2,7 @@
  * Copyright (c) 2014-2020 Bjoern Kimminich.
  * SPDX-License-Identifier: MIT
  */
+const utils = require('../../lib/utils')
 
 describe('/', () => {
   describe('challenge "jwtUnsigned"', () => {
@@ -13,12 +14,14 @@ describe('/', () => {
     protractor.expect.challengeSolved({ challenge: 'Unsigned JWT' })
   })
 
-  describe('challenge "jwtForged"', () => {
-    it('should accept a token HMAC-signed with public RSA key with email [email protected] in the payload ', () => {
-      browser.executeScript('localStorage.setItem("token", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImVtYWlsIjoicnNhX2xvcmRAanVpY2Utc2gub3AifSwiaWF0IjoxNTgzMDM3NzExfQ.gShXDT5TrE5736mpIbfVDEcQbLfteJaQUG7Z0PH8Xc8")')
-      browser.get('/#/')
-    })
+  if (!utils.disableOnWindowsEnv()) {
+    describe('challenge "jwtForged"', () => {
+      it('should accept a token HMAC-signed with public RSA key with email [email protected] in the payload ', () => {
+        browser.executeScript('localStorage.setItem("token", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImVtYWlsIjoicnNhX2xvcmRAanVpY2Utc2gub3AifSwiaWF0IjoxNTgzMDM3NzExfQ.gShXDT5TrE5736mpIbfVDEcQbLfteJaQUG7Z0PH8Xc8")')
+        browser.get('/#/')
+      })
 
-    protractor.expect.challengeSolved({ challenge: 'Forged Signed JWT' })
-  })
+      protractor.expect.challengeSolved({ challenge: 'Forged Signed JWT' })
+    })
+  }
 })

test/server/verifySpec.js

@@ -11,6 +11,7 @@ chai.use(sinonChai)
 const cache = require('../../data/datacache')
 const insecurity = require('../../lib/insecurity')
 const config = require('config')
+const utils = require('../../lib/utils')
 
 describe('verify', () => {
   const verify = require('../../routes/verify')
@@ -281,37 +282,39 @@ describe('verify', () => {
       expect(challenges.jwtForgedChallenge.solved).to.equal(false)
     })
 
-    it('"jwtForgedChallenge" is solved when forged token HMAC-signed with public RSA-key has email [email protected] in the payload', () => {
-      /*
-      Header: { "alg": "HS256", "typ": "JWT" }
-      Payload: { "data": { "email": "rsa_lord@juice-sh.op" }, "iat": 1508639612, "exp": 9999999999 }
-       */
-      this.req.headers = { authorization: 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImVtYWlsIjoicnNhX2xvcmRAanVpY2Utc2gub3AifSwiaWF0IjoxNTgyMjIxNTc1fQ.ycFwtqh4ht4Pq9K5rhiPPY256F9YCTIecd4FHFuSEAg' }
+    if (!utils.disableOnWindowsEnv()) {
+      it('"jwtForgedChallenge" is solved when forged token HMAC-signed with public RSA-key has email [email protected] in the payload', () => {
+        /*
+        Header: { "alg": "HS256", "typ": "JWT" }
+        Payload: { "data": { "email": "rsa_lord@juice-sh.op" }, "iat": 1508639612, "exp": 9999999999 }
+         */
+        this.req.headers = { authorization: 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImVtYWlsIjoicnNhX2xvcmRAanVpY2Utc2gub3AifSwiaWF0IjoxNTgyMjIxNTc1fQ.ycFwtqh4ht4Pq9K5rhiPPY256F9YCTIecd4FHFuSEAg' }
 
-      verify.jwtChallenges()(this.req, this.res, this.next)
+        verify.jwtChallenges()(this.req, this.res, this.next)
 
-      expect(challenges.jwtForgedChallenge.solved).to.equal(true)
-    })
+        expect(challenges.jwtForgedChallenge.solved).to.equal(true)
+      })
 
-    it('"jwtForgedChallenge" is solved when forged token HMAC-signed with public RSA-key has string "rsa_lord@" in the payload', () => {
-      /*
-      Header: { "alg": "HS256", "typ": "JWT" }
-      Payload: { "data": { "email": "rsa_lord@" }, "iat": 1508639612, "exp": 9999999999 }
-       */
-      this.req.headers = { authorization: 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImVtYWlsIjoicnNhX2xvcmRAIn0sImlhdCI6MTU4MjIyMTY3NX0.50f6VAIQk2Uzpf3sgH-1JVrrTuwudonm2DKn2ec7Tg8' }
+      it('"jwtForgedChallenge" is solved when forged token HMAC-signed with public RSA-key has string "rsa_lord@" in the payload', () => {
+        /*
+        Header: { "alg": "HS256", "typ": "JWT" }
+        Payload: { "data": { "email": "rsa_lord@" }, "iat": 1508639612, "exp": 9999999999 }
+         */
+        this.req.headers = { authorization: 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImVtYWlsIjoicnNhX2xvcmRAIn0sImlhdCI6MTU4MjIyMTY3NX0.50f6VAIQk2Uzpf3sgH-1JVrrTuwudonm2DKn2ec7Tg8' }
 
-      verify.jwtChallenges()(this.req, this.res, this.next)
+        verify.jwtChallenges()(this.req, this.res, this.next)
 
-      expect(challenges.jwtForgedChallenge.solved).to.equal(true)
-    })
+        expect(challenges.jwtForgedChallenge.solved).to.equal(true)
+      })
 
-    it('"jwtForgedChallenge" is not solved when token regularly signed with private RSA-key has email [email protected] in the payload', () => {
-      const token = insecurity.authorize({ data: { email: '[email protected]' } })
-      this.req.headers = { authorization: 'Bearer ' + token }
+      it('"jwtForgedChallenge" is not solved when token regularly signed with private RSA-key has email [email protected] in the payload', () => {
+        const token = insecurity.authorize({ data: { email: '[email protected]' } })
+        this.req.headers = { authorization: 'Bearer ' + token }
 
-      verify.jwtChallenges()(this.req, this.res, this.next)
+        verify.jwtChallenges()(this.req, this.res, this.next)
 
-      expect(challenges.jwtForgedChallenge.solved).to.equal(false)
-    })
+        expect(challenges.jwtForgedChallenge.solved).to.equal(false)
+      })
+    }
   })
 })